Should the FDA Create a Cybersecurity Measuring Stick?

The Food and Drug Administration should consider some sort of measuring stick when assessing a vendor's cybersecurity culture to determine if it qualifies for the agency's proposed fast-path program for premarket approval of "software as a medical device" products, some industry stakeholders say.

The FDA accepted comments on its "working model" for a SaMD precertification program through May 31.

The agency will review and incorporate the public feedback as it refines its plans for the proposed program.

The federal Regulations.gov website shows that FDA has received more than 60 comments on its plans for a precertification program to fast-path certain SaMD products for premarket approval. Those comments also include feedback on the FDA's initial plans announced in 2017 for a pilot SaMD vendor precertification program.

Fast-Path Plan for Product Approval

The FDA is proposing to pre-certify vendors of certain medical device software, including some mobile apps, allowing the companies to skip the agency's much more rigorous premarket approval process for hardware-based medical devices.

The proposed voluntary program is for review of software that is "intended to treat, diagnose, cure, mitigate or prevent disease or other conditions." Currently, such software faces the same regulatory review as medical device hardware.

The FDA says its current regulation of medical device hardware "is not well-suited for the faster, iterative design, development and type of validation used for SaMD," according to the agency's working model document issued in April (see FDA Unveils Plan for Software as Medical Device Review).

The FDA proposes to evaluate vendors for precertification based on five "culture of quality and organization excellence principles." In addition to cybersecurity responsibility, the FDA would also evaluate a company's approach to product quality, patient safety, clinical responsibility and whether it has a "proactive culture."

NIST Framework

In its comments, the American Medical Association says the FDA should use "relevant existing standards" where possible and should account for the varying sizes of applicants when assessing vendors.

"An example ... would be the National Institute of Standards and Technology's Framework for Improving Critical Infrastructure Cybersecurity," the AMA writes.

"The framework illustrates that there are widely recognized 'gold standard' frameworks, processes, and programs available to support the proposed excellence principle on cybersecurity responsibility," the AMA notes. "NIST's framework is an analog for the overarching FDA goal to balance flexible excellence principle demonstration with the need to ensure an appropriate level of consistency and structure across organizations seeking precertification."

Security Certifications

Other commenters also suggested the FDA consider a vendor's implementation of industry standards - including the use of accepted cybersecurity frameworks - as well as various security certifications as an indication of cybersecurity responsibility.

HIMSS recommends the FDA "separate health/medical risk determination and cybersecurity assessments" in evaluating a vendor for participating in a precertification program for SaMD products.

"For the purposes of the precertification program, the medical risk of the intended use of the device should be the sole element considered for eligibility of a particular product to follow the accelerated pathway to market," HIMSS writes.

HIMSS recommends that the FDA "take a holistic approach" to cybersecurity assessment, applying it not just to individual products but also as part of the criteria by which a manufacturer demonstrates a culture of excellence in order to be admitted to the precertification program in the first place.

"Even low-risk products can be compromised and misused in ways that elevate their overall risk," HIMSS writes.

"Strong security requires more than just the implementation of certain features in a particular product and begins with product conception and design and continues through surveillance and updates once a product is delivered to the end-user. These are organizational characteristics that a manufacturer must possess at all levels, and a strong culture of excellence in this area should lead to meaningful risk assessment and mitigation within individual products."

More Transparency Needed

Beyond the comments the FDA is collecting on its proposed SaMD precertification program, many healthcare industry stakeholders are increasingly concerned about a continuing lack of openness from many medical device makers about the cybersecurity of their products, says Dale Nordenberg, M.D., leader of the Medical Device Innovation, Safety and Security consortium.

"With a few exceptions ... as a group - our constituents, including key stakeholders like security researchers and healthcare systems - are not seeing a robust level of transparency about cybersecurity from manufacturers - nor the push from FDA - that we'd like to see," Nordenberg says. A lack of transparency from vendors about their medical device cybersecurity practices could potentially impact the credibility of an FDA precertification program, he adds.

About the Author

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.
